Privacy Notice – Personnel General This document describes the processing of personal data in Abloy Oy’s human resources administration. This privacy notice provides the data subject and the supervisory authority with the information required by the European Union’s General Data Protection Regulation (GDPR 679/2016). Controller and contact details Name: Abloy OyPostal address: Wahlforssinkatu 20, 80100 Joensuu, Finland.Telephone (exchange): +358 20 599 2501Business ID: 0774324-5Email address: firstname.lastname@example.orgThis email address is to be used only for addressing matters related to data protection. For all other matters, the correct contact information can be found from www.abloy.com. Whose data is processed? The data subjects are individuals who are or have been in an employment or managerial relationship with Abloy Oy and, with limited information, temporary agency workers and consultants. What is the purpose and legal basis for processing personal data? The processing of personal data is necessary in order to fulfil the data controller’s statutory obligations, to implement an employment or management contract to which the data subject is party, and to fulfil the legitimate interests of the data controller. The processing of personal data of temporary agency workers and consultants is necessary based on the legitimate interests of the data controller in order to fulfil the service agreement. The data controller ensures that processing based on legitimate interests is correctly proportional to the interests of data subjects and is in line with their reasonable expectations. Personal data is used to maintain information about data subject’s employment relationship with Abloy Oy, exercise the employer’s supervisory and direction rights, process and pay compensation for travel and other expenses, forward calls and contact, maintain records of working hours, provide occupational healthcare services, manage skills, training and employee benefits, pay salaries, maintain contact with the authorities, compile statistics, process requests for certificates and salary information, manage equipments and define information about the access rights to data systems required by employees. Personal data groups of the data subject Purpose of processing a data group Basis of data processing Basic personal data Identification of individuals, granting user and access rights, mailing (e.g. salary certificates), contact (e.g. in emergencies), and statistics Contractual and statutory obligations Work contact information Carrying out work-related tasks via email and/or by telephone Contract Employment information Basic employment information for payroll accounting, paying compensation for travel and general expenses and maintaining records of working hours. Background information for calculating pensions, collecting employee association fees and compiling statistics Contractual and statutory obligations Investigations carried out at the beginning of employment (internal recruitment) Study certificates and other important documents considering the position are verified. The occupational healthcare service provider assesses the applicant’s state of health. Credit information is checked in positions where the applicant is required to show special trust and direct financial responsibility. A concise security clearance or a security officer identity card must be applied for in positions, for which background information needs to be checked. In addition, an aptitude test can be conducted. Legitimate interest of the data controller. The information is necessary in order to succeed in the recruitment process and to assess the applicant’s suitability. The processing of credit information during the recruitment process is based on the applicant’s consent. Introduction information Verifying introduction regarding the employee’s work and working conditions, the correct use of tools and safe working methods Verifying introduction regarding the employee’s work and working conditions, the correct use of equipments and safe working methods Information about equipments and access rights Management of equipments and access rights Legitimate interest of the data controller. By recording information about equipments and access rights, it is ensured that personnel has adequate equipments and access rights with respect to their working tasks. Additionally, the access rights’ traceability is ensured. Salary information and payroll accounting results Payroll accounting, taxation, pensions, statistics and other official purposes Contractual and statutory obligations Information about absences and holidays Management and monitoring of absences and holidays Contractual and statutory obligations Working hours registrations Working hours monitoring and hourly registrations for payroll accounting Contractual and statutory obligations Information about substitute arrangements Defining the right to substitutes and carrying out tasks during substitute arrangements Legitimate interest of the data controller Discussions of the ability to work Assessing the ability to work after an extended absence Legitimate interest of the data controller and statutory obligation. With discussions of the ability to work, it is ensured whether something can be done at the workplace in order to prevent falling sick. Performance appraisals Defining task-specific goals and preparing a competence development plan Legitimate interest of the data controller. An individual’s work and know-how can be improved based on performance appraisals. Job descriptions Describing the content of tasks and defining the difficulty of tasks in accordance with the collective agreement Legitimate interest of the data controller. The job requirements, as provided in the collective bargaining agreements, affect the salaries directly and are defined in the job descriptions. Culture and exercise benefits Granting and managing employee benefits Agreement and the legitimate interest of the data controller. Personal data is required in order to grant the benefits to the right persons. Work- and training-related travel and expense reports Monitoring working hours during travel and paying travel expense compensation, daily allowances and other expense compensation Legitimate interest of the data controller and statutory obligation. In order to ensure the validity of the payment of travel time pay, daily allowance and reimbursement of expenses. Skills Securing the skills required in business activities and tasks Legitimate interest of the data controller. Maintaining information related to skills is required in order to ensure adequate know-how in different working tasks and substitution. Contact information of the next of kin Establishing contact in the case of an accident or illness Protecting the vital interests of data subjects The data controller does not carry out any automated decision making. What personal data is processed? Abloy job applicants and employees Personal data group Data content Basic personal data First names, calling name, last name, telephone number (work/home), address, email address (work) Personal identity code, date of birth, ID number (work), gender, native language, nationality. Contact details of a next of kin provided by the person Date of joining the company Work contact information Tasks, work mobile number, extension, substitute arrangements and photo Employment information Bank account, tax card, pension insurance, employee association fee information, basic employment data, fringe benefits, statistical groups, posting data, location and supervisor Investigations carried out at the beginning of employment References, state of health, aptitude test, credit information, security clearance and verification of identity Introduction training information Introduction completed and approved Information about equipments and access rights Information about given and returned equipments, access rights and their approval Salary information and payroll accounting results Euro-denominated hourly and/or monthly salary used as the basis of salary payments Suggestion and invention compensation paid, travel time, alarm and on-call duty compensation, non-recurring items and euro-denominated values of fringe benefits Realised hours and amounts in payroll accounting (salary transactions, gross and net salary, deductions and manual corrections) Information about absences and holidays Sick leave, parental leave, study leave, alternation leave and other absences affecting payroll accounting, accumulated holidays and holiday periods Discussions of the ability to work Discussion date, estimate of factors leading to absence from work, opportunities to prevent such factors and approval Working hours registrations Background settings for working hours registrations, registered working hours and resulting working hours Information about substitute arrangements Substitutes during holidays and absences Educational and work history Education, studies, previous work experience and certificates Performance appraisals Content and date of performance appraisals, goals and competence development plan Job descriptions Most recent revision, position and its content Culture and exercise benefits Granted benefits, validity date and information about specific benefits Skills Skills in tasks, goals and information about starting to learn a new skill Telephone directory of the ASSA ABLOY Group First and last names, title, company, location of company, address of company, work telephone number, Skype address, department, skills, email, language and photo. Temporary agency workers and consultants Personal data group Data content Basic personal data First names, calling name, last name, date of joining the company Work contact information Tasks, work phone number, work email address Information about equipments and access rights Information about given and returned equipments, access rights and their approval Information about absences and holidays Sick leave, parental leave, study leave, alternation leave and other absences affecting payroll accounting, accumulated holidays and holiday periods Working hours registrations Background settings for working hours registrations, registered working hours and resulting working hours Telephone directory of the ASSA ABLOY Group Title, company, location of company, address of company, work telephone number, Skype address, department, email, language How is personal data collected? The data stored on data subjects is data provided by the data subjects themselves. Those data subjects who have access rights to the personal data register system can maintain their own basic personal data. The basic personal data of temporary agency workers and consultants are received from respective employers. In addition, data is maintained and updated using data produced by the authorities, partners and the data controller during the employment relationships of data subjects. When data is collected from sources other than data subjects, the consent of each data subject must be requested for the collection of data in accordance with the Act on the Protection of Privacy in Working Life (759/2004). However, no consent is needed when an authority transfers data to Abloy in order to carry out a task defined in the legislation or when the employer obtains credit information or information from criminal records in order to identify the reliability of an individual. If Abloy identifies the reliability of an individual, it will notify data subjects of this beforehand. If data is collected from sources other than data subjects, Abloy will notify data subjects of the data obtained before it uses it to make decisions on employees. Who will the data be transferred to? Abloy employees Recipient Purpose of the disclosure Tax administration Paying taxes Social Insurance Institution (Kela) Paying compensation for sick, family and other leave Employee associations Paying employee association membership fees Execution authorities Paying execution costs Insurance broker Processing the company’s insurance data Insurance companies Calculating employee pensions and processing compensation to be paid for accidents Unemployment office services Alternation leave notifications Occupational healthcare Maintaining health records Security services Maintaining facility security Online salary calculation operator Electronic payslips for employees Telecom operator Mobile services, exchange services and internet subscriptions Travel agency Booking and invoicing work travel Exercise and culture benefit provider Management of employee benefits Printing shop Address information for the personnel magazine Training service provider Personnel training Patent office Processing invention reports ASSA ABLOY Group Salary information about managerial relationships and specifications to personnel reporting Telephone directory of the ASSA ABLOY Group Contact within the Group Service providers Maintenance and support tasks for data systems Central statistical office of Finland Statistics Conferedation of Finnish Industries Statistics Temporary agency workers and consultants Recipient Purpose of the disclosure ASSA ABLOY konsernin puhelinluettelo Konsernin sisäinen työhteydenpito Is personal data processed outside the European Union? Abloy Oy transfers and discloses personal data to the ASSA ABLOY Group outside EU / EEA area for Group control purposes and for the organization of the Group’s operations. The service provider of the employees’ travel booking and travel expense services may give access to personal data of the services to its support organizations located in India, the U.S.A. and Australia. When transferring data outside the EU or EEA, we use standard contractual clauses approved by the EU Commission in order to protect the data properly. For further information, please visit EU Commission’s web site. What are the storage periods for personal data? The data collected in the register will be kept for as long as necessary, and to the extent necessary, for fulfilment of the original or compatible purposes for which the personal data was collected. Personal data groups Storage time Basic personal data 10 years after the end of employment Work contact information 3 months after the end of employment Employment information 10 years after the end of employment Investigations carried out at the beginning of employment 5 years after the end of employment Introduction information 3 years after the end of employment Information about tools and access rights 3 months after the end of employment Salary information and/or history (euro-denominated values on which salary payments are based) 6 years from the end of the year during which salary was paid Payroll accounting 10 years after the end of the financial period Pay sheets 50 years after the end of the financial period Statement of accounts listings for memberships 10 years after the end of the financial period Information about absences 10 years after the end of employment Discussions of the ability to work 2 years after the discussion Working hours registrations 5 years after the expiry of salary receivables Holidays 6 years from the end of the year during which salary was paid Information about substitute arrangements 3 months after the end of employment Educational and work history 10 years after the end of employment Performance appraisals 3 months after the end of employment Job descriptions 3 months after the end of employment Culture and exercise benefits 3 months after the end of employment Working hours records 10 years after the end of the financial period Work- and training-related travel and expense reports 10 years after the end of the financial period Skills 1 year after the end of employment Results of occupational health and safety elections 10 years after the end of employment The aforementioned storage periods can be deviated from if it is necessary in order to investigate any misuse or to fulfil the data controller’s lawful claim. What are data subject’s rights? Right of Access The data subject is entitled to obtain confirmation from the controller as to whether the personal data of the data subject is being or has been processed. If the data controller processes the personal data of the data subject, the latter is entitled to the information of this document, as well as to a copy of the personal data that is being or has been processed. If a data subject makes a request electronically and has not requested any other form of delivery, the data will be provided in a generally available electronic format that is compatible with secure delivery of the data. Right to Correct or Erase Data Data subjects have the right to request the controller to correct or erase their personal data. Under certain circumstances, data subjects have the right to request processing of their personal data to be restricted, or to otherwise object to the processing of data. In addition, data subjects may request the transfer of data submitted by the data subjects themselves in a machine-readable form based on the General Data Protection Regulation. Consent withdrawal If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent at any time. The right to object to the processing The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data when the processing is based on the legitimate interest of the controller or a third party. How can data subjects exercise their rights? In all matters involving the processing of personal data, data subjects have the right to contact the controller. All requests mentioned in the present document must be submitted to the above mentioned contact point of the controller. Data subjects also have the right to file a complaint with the supervisory authority if their personal data is or has been processed unlawfully. How is personal information protected? Abloy Oy processes personal data safely and in compliance with the applicable legislation. Protection of personal data by Abloy Oy is adequate both technically and organisationally. The data is stored in locked premises that are accessible only to authorised persons. Personal data stored in the systems is accessible only to pre-designated persons who need the information for work-related tasks. IT environments are protected by adequate firewalls and other forms of technical protection. With regard to the processing of personal data, Abloy Oy’s employees and other persons must abide by their obligation of secrecy and must handle personal data confidentially. Updating Privacy Notice We will update and change this privacy notice when necessary. We will notify you of such changes at Abloy’s www-site https://www.abloy.com/en/site-functions/privacy-centre/privacy-notices/. 18th December 2019. This privacy notice has been made: 8th October 2019.